Craft CMS: Low-privilege users could read private asset contents when editing an asset (IDOR)
Description
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can read private asset content by calling assets/edit-image with an arbitrary assetId for an asset they are not authorized to view. The endpoint returns the image bytes (or a redirect to a preview) without performing a per-asset view authorization check, so any user who can reach it can disclose private files by guessing or enumerating asset IDs. This issue has been patched in versions 4.17.8 and 5.9.14.
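The flaw described above is a classic insecure direct object reference: the handler trusts the client-supplied assetId and never asks whether the current user may view that particular asset. The following stand-alone PHP script is an added illustration, not Craft CMS code and not part of the advisory: it models an asset-preview handler with the missing check, a version that adds only a coarse control-panel gate, and a version that also performs the per-asset check. The permission names (`accessCp`, `viewAssets:<volume>`), the in-memory asset and user tables, and the helper functions are assumptions constructed for this example.

```php
<?php
// Added example, not Craft CMS code. Permission names, the sample asset and
// user tables, and the helper functions are assumptions made for illustration.
declare(strict_types=1);

// Constructed sample data: each asset lives in a volume, and a user may view
// an asset only when they hold the "viewAssets:<volume>" permission.
const ASSETS = [
    1 => ['volume' => 'public', 'bytes' => 'PNG...public-logo'],
    2 => ['volume' => 'hr',     'bytes' => 'PNG...salary-scan'],
];

// Constructed users. Both are authenticated control-panel users; only the
// editor may view the "hr" volume.
const USERS = [
    'editor' => ['permissions' => ['accessCp', 'viewAssets:public', 'viewAssets:hr']],
    'intern' => ['permissions' => ['accessCp', 'viewAssets:public']],
];

function hasPermission(string $user, string $perm): bool
{
    return in_array($perm, USERS[$user]['permissions'] ?? [], true);
}

// Per-asset view authorization: the check the vulnerable handler never makes.
function canViewAsset(string $user, int $assetId): bool
{
    $asset = ASSETS[$assetId] ?? null;
    return $asset !== null && hasPermission($user, 'viewAssets:' . $asset['volume']);
}

// Vulnerable pattern: resolves whatever assetId the client sent and returns
// its bytes. The caller's identity is never consulted (hence $user is unused).
function previewVulnerable(?string $user, int $assetId): array
{
    $asset = ASSETS[$assetId] ?? null;
    if ($asset === null) {
        return ['status' => 404, 'body' => ''];
    }
    return ['status' => 200, 'body' => $asset['bytes']];
}

// A coarse gate on its own: keeps anonymous and non-control-panel callers out,
// but still serves any asset to any user who holds accessCp.
function previewCoarseGateOnly(?string $user, int $assetId): array
{
    if ($user === null || !hasPermission($user, 'accessCp')) {
        return ['status' => 403, 'body' => ''];
    }
    return previewVulnerable($user, $assetId);
}

// Hardened: coarse gate first, then the per-asset check. Missing and
// unauthorized assets both yield 404 so the response does not confirm that a
// given id exists.
function previewHardened(?string $user, int $assetId): array
{
    if ($user === null || !hasPermission($user, 'accessCp')) {
        return ['status' => 403, 'body' => ''];
    }
    if (!canViewAsset($user, $assetId)) {
        return ['status' => 404, 'body' => ''];
    }
    return ['status' => 200, 'body' => ASSETS[$assetId]['bytes']];
}

// Walk the same requests through all three handlers. Constructed inputs:
// the intern probing the HR asset is the IDOR case.
$requests = [['intern', 1], ['intern', 2], ['editor', 2], [null, 2]];
foreach ($requests as [$user, $id]) {
    printf(
        "user=%-7s assetId=%d  vulnerable=%d  coarseGateOnly=%d  hardened=%d\n",
        $user ?? '(anon)',
        $id,
        previewVulnerable($user, $id)['status'],
        previewCoarseGateOnly($user, $id)['status'],
        previewHardened($user, $id)['status']
    );
}
```

Run it with `php idor_example.php`. The intern's request for asset 2 is the line to watch: the vulnerable handler and the coarse gate both return 200, and only the hardened handler returns 404. The 403-versus-404 split is deliberate: 403 tells an unauthenticated caller the endpoint is off limits, while 404 for an authorized-but-wrong-volume request avoids turning the endpoint into an asset-id oracle.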
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| craftcms/cms | Packagist | >= 4.0.0-RC1, < 4.17.8 | 4.17.8 |
| craftcms/cms | Packagist | >= 5.0.0-RC1, < 5.9.14 | 5.9.14 |
Affected products
Patches
7290d91639e5 Merge branch 'advisory/GHSA-5pgf-h923-m958' into 4.x
2 files changed · +2 −1
CHANGELOG.md+1 −1 modified@@ -4,7 +4,7 @@ - The `PDO::MYSQL_ATTR_MULTI_STATEMENTS` attribute is no longer set by default for database connections. ([#18474](https://github.com/craftcms/cms/issues/18474)) - Fixed a [moderate-severity](https://github.com/craftcms/cms/security/policy#severity--remediation) access control vulnerability. (GHSA-6mrr-q3pj-h53w) -- Fixed a [moderate-severity](https://github.com/craftcms/cms/security/policy#severity--remediation) information disclosure vulnerability. (GHSA-3pvf-vxrv-hh9c) +- Fixed [moderate-severity](https://github.com/craftcms/cms/security/policy#severity--remediation) information disclosure vulnerabilities. (GHSA-3pvf-vxrv-hh9c, GHSA-5pgf-h923-m958) ## 4.17.7 - 2026-02-24
src/controllers/AssetsController.php+1 −0 modified@@ -1149,6 +1149,7 @@ public function actionGenerateTransform(?int $transformId = null): Response throw new ServerErrorHttpException('Image transform cannot be created.', previous: $e); } } else { + $this->requirePermission('accessCp'); $assetId = $this->request->getRequiredBodyParam('assetId'); $handle = $this->request->getRequiredBodyParam('handle'); if (!is_string($handle)) {
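Review bot: the CHANGELOG entry (and the merge commit above it) credits this fix to GHSA-5pgf-h923-m958 alongside GHSA-3pvf-vxrv-hh9c, but the References list on this page links only GHSA-3pvf-vxrv-hh9c and CVE-2026-33158; confirm which advisory identifier this patch belongs to and add the missing advisory link if both apply. The trailing context (`## 4.17.7 - 2026-02-24`) places the new bullet in the section above 4.17.7, which agrees with 4.17.8 as the patched version in the table.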
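Review bot: `$this->requirePermission('accessCp')` is a coarse gate, not the per-asset view check the description says was missing. It rejects callers without control-panel access, but any user who does hold `accessCp` can still post an arbitrary `assetId` and reach the handle processing that follows, as far as the visible context shows. Suggest resolving the asset right after `$assetId = $this->request->getRequiredBodyParam('assetId');` and rejecting the request when the current user may not view it, or documenting why `accessCp` is sufficient for this action. Two smaller points: the new line sits only in the `else` branch (no `transformId` given), so confirm the `transformId` path is gated elsewhere; and the description above names `assets/edit-image`, while this hunk changes `actionGenerateTransform`, so the advisory text and the patched action should be reconciled.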
References
- https://github.com/advisories/GHSA-3pvf-vxrv-hh9c (GitHub advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2026-33158 (NVD entry)
- https://github.com/craftcms/cms/commit/7290d91639e5e3a4f7e221dfbef95c9b77331860 (fix commit)
- https://github.com/craftcms/cms/releases/tag/4.17.8 (release notes)
- https://github.com/craftcms/cms/releases/tag/5.9.14 (release notes)
- https://github.com/craftcms/cms/security/advisories/GHSA-3pvf-vxrv-hh9c (vendor advisory)